Infiniti and reverse proxy

Introduction

Overview

Some business scenarios call for running Infiniti in a 3-tier architecture, with a load balancer/reverse proxy, web server and database server. This guide is designed to assist Infiniti administrators in setting up and configuring such an environment. Installation of the Infiniti software is out of scope; this guide only covers the setup of a 3-tier, load balancer/reverse proxy environment.

In this guide, we use the ‘Application Request Routing [ARR]’ and ‘URL Rewrite’ features of Internet Information Services (IIS) to implement the reverse proxy environment.

Installation Steps

Click on the ‘Install Now’ button. The webpage prompts the user to either ‘Run’, ‘Save’ or ‘Cancel’ the application installation request:

Click on the ‘Run’ button:

Click the ‘Install’ button to proceed with the installation.

Click on the ‘Options’ link. Make sure the default options are correct. If not, correct them.

Click ‘OK’. All the dependencies for the software get installed as required:

Select ‘I Accept’ to continue. The installation will continue as shown below:

Please wait until the software installation has completed successfully. This may take a few minutes.

Click the ‘Finish’ button to complete the installation process.

To verify the successful installation of the feature, please open IIS. A new node Server Farms should now be visible in the Connections pane:

Configuring the Server Farm

Overview

This chapter guides you through the process of configuring Microsoft’s Application Request Routing (ARR) version 2.5 to act as a reverse proxy / 3rd tier.

Create server farm in ARR

Launch IIS Manager

ARR is a server level feature. Select and expand the root of the server:

Right click on ‘Server Farms’ and then select ‘Create Server Farm’:

Enter a name. In this example, myServerFarm is the name:

Click ‘Next’.

The next step is to add servers to the farm. On this page, add as many application / web server(s) as needed. The ‘Advanced options’ allows the user to configure non-standard HTTP / HTTPS ports:

Click ‘Finish’. The user will be prompted with a request for automatic creation of ‘URL rewrite rules’ for the server farm just created:

Click ‘Yes’.

The user has now successfully created a server farm with the required application servers as its members.

To verify / view the rules, select and expand the root of the server. Click on the ‘URL Rewrite’ icon in the middle pane.

The ‘URL rewrite rules’ should be visible.

Configuring the Server farm properties

After the server farm has been created and defined, additional properties can be set to manage the behaviour of ARR. Only the basic settings are discussed here.

Select the newly created server farm, myServerFarm.

The following icons should be visible:

To change the load balance algorithm, double click on the icon ‘Load Balance’.

The default is ‘Least current request’:

For our example, select the ‘Weighted round robin’ algorithm in the drop down menu. For the load distribution, select ‘Custom distribution’ and change the values to a desired level:

To monitor the runtime statistics, click on the icon ‘Monitoring and Management’:

Server Affinity

Application Request Routing provides a client affinity feature that maps a client to an application server behind Application Request Routing for the duration of a client session. When this feature is enabled, the load balancing algorithm is applied only to the very first request from the client. From that point on, all subsequent requests from the same client are routed to the same content server for the duration of the client session. This feature is useful if the application on the content server is stateful and the client's requests must be routed to the same content server because session management is not centralized.

Launch IIS Manager

Select the server farm created

Double click on the Server Affinity icon

To enable Client affinity, check the box beside it and then click Apply.

Application Request Routing uses a cookie to enable client affinity. The Cookie name will be used to set the cookie on the client, so the client must accept cookies for client affinity to work properly.

To verify the functionality of client affinity, send several requests to the ARR server, then refresh the dashboard in IIS Manager (Monitoring and Management). The runtime statistics should change for only one of the application servers, the one to which the client is affinitized. You may test further by sending additional requests from different client machines and refreshing the dashboard, as needed.

ARR and Infiniti with Windows Authentication

Overview

Setting up the reverse proxy to work with Windows Authentication is not a simple task; it requires a few complicated configuration changes on the Application servers, the Reverse Proxy and the Domain controller.

This chapter guides you through the process of configuring ARR and Infiniti to work in Windows Authentication mode.

Prerequisites

It is assumed that the Infiniti software is installed on the Application server in Windows Authentication mode. If there is more than one application server, the set-up has to be done on all of them. It is assumed that the setup has been verified on all the application servers.

You might need administrative privileges on the Load balancer / Reverse Proxy server and on all the application servers, and Domain Admin access on the Domain controller for the domain.

Changes on the Application servers

The steps below have to be performed on all the Application servers.

On the Application server, please change all your Infiniti App Pools to use a domain user account (domain\appPoolUser).

Make sure all Infiniti Applications are still set up in Windows Authentication mode.

Make sure the Windows Authentication settings match the following configuration

Open an elevated command prompt (i.e. a command prompt with Admin privileges) and run the following commands to stop the IIS services

o Net stop was /y

o Net stop wmsvc

Go to the system folder %windir%\system32\inetsrv\config\ and open ApplicationHost.config using Notepad or any other editor.

Update the Windows authentication element under it by adding the attribute useAppPoolCredentials="true". After making the change, the Windows authentication element would look similar to:

<windowsAuthentication enabled="true" useAppPoolCredentials="true" />

Repeat steps 6 & 7 for all other Infiniti applications.

On the elevated command prompt, execute the following commands; this is to register Service Principal Names [SPN] for the App Pool User

o Setspn -s HTTP/<App Server’s NetBIOS Name> DOMAIN\APPPOOLUSER

o Setspn -s HTTP/<App Server’s FQDN> DOMAIN\APPPOOLUSER

To check for duplicates, run the setspn -L command for APPSERVERNETBIOSNAME to list all defined SPNs, then use setspn -d to delete the duplicate ones. Only the duplicate HTTP SPNs need to be deleted.

On the elevated command prompt run the following commands to start the IIS services

o Net start w3svc

o Net start wmsvc

Open a browser and browse to the application using the below URLs

o Localhost

o Appserver’s NETBIOS name

o Appserver’s FQDN

They should all work. If they do not, then you have duplicate SPNs. Please correct them and test again.

Also be aware that if you do not add the site to the Intranet sites or Trusted sites in the browser’s security settings, you might be prompted for user credentials again and again.
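
The app pool identity and useAppPoolCredentials settings from the steps above can be checked for every application in one pass. The following PowerShell is an added example, not part of the original guide or the Infiniti product; it assumes the WebAdministration module that ships with IIS and an elevated session on the application server.

```powershell
# Added example, not from the Infiniti guide. Run elevated on each application server.
Import-Module WebAdministration

$section = 'system.webServer/security/authentication/windowsAuthentication'

# Read one attribute of the windowsAuthentication section as it applies to a location path.
function Get-WinAuthSetting([string]$Location, [string]$Name) {
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter $section -Name $Name).Value
}

# One record per site root and per application beneath it.
$targets = foreach ($site in Get-Website) {
    [pscustomobject]@{ Location = $site.Name; Pool = $site.applicationPool }
    foreach ($app in Get-WebApplication -Site $site.Name) {
        [pscustomobject]@{ Location = $site.Name + $app.path; Pool = $app.applicationPool }
    }
}

$report = foreach ($t in $targets) {
    $pm = (Get-Item "IIS:\AppPools\$($t.Pool)").processModel
    [pscustomobject]@{
        Location              = $t.Location
        AppPool               = $t.Pool
        IdentityType          = $pm.identityType   # SpecificUser for a domain account
        PoolUser              = $pm.userName       # expected: domain\appPoolUser
        WindowsAuthEnabled    = Get-WinAuthSetting $t.Location 'enabled'
        UseAppPoolCredentials = Get-WinAuthSetting $t.Location 'useAppPoolCredentials'
    }
}

$report | Format-Table -AutoSize

# Applications that still need the ApplicationHost.config edit: Windows Authentication
# is on, but Kerberos tickets would not be decrypted with the app pool account.
$report | Where-Object { $_.WindowsAuthEnabled -and -not $_.UseAppPoolCredentials }
```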

Changes on the Reverse Proxy server

The steps below have to be performed on the Reverse Proxy server.

Keep the default authentication settings, i.e. make sure the default website has Anonymous access enabled.

Please set up a simple test page on the App servers with anonymous access enabled and make sure it works through the reverse proxy.

Open an elevated command prompt and set the SPNs for the app pool user using the below commands

o Setspn -s HTTP/<Proxy Server’s NetBIOS Name> DOMAIN\APPPOOLUSER

o Setspn -s HTTP/<Proxy Server’s FQDN> DOMAIN\APPPOOLUSER

Make sure you can open the Infiniti sites from Internet Explorer on the proxy server with no authentication problems.
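
Both the application server steps and the reverse proxy steps register HTTP SPNs to the same app pool user, and the guide attributes failures to duplicate SPNs. This added example (not from the original guide) asks Active Directory who holds each SPN and flags missing, duplicate or misassigned entries; the host names and account name are placeholder assumptions, and the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example, not from the Infiniti guide. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholder values (assumptions): replace with the names used in your domain.
$expectedAccount = 'APPPOOLUSER'     # sAMAccountName of DOMAIN\APPPOOLUSER
$hostNames = @(
    'APPSERVER',   'appserver.example.local',    # application server NetBIOS name and FQDN
    'PROXYSERVER', 'proxyserver.example.local'   # reverse proxy NetBIOS name and FQDN
)

$results = foreach ($name in $hostNames) {
    $spn = "HTTP/$name"

    # Every AD object (user or computer) that has this exact SPN registered.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)

    if ($holders.Count -eq 0) {
        $status = 'Missing'          # Setspn -s has not been run for this name
    } elseif ($holders.Count -gt 1) {
        $status = 'Duplicate'        # remove the extra HTTP SPN with setspn -d
    } elseif ($holders[0].sAMAccountName -ne $expectedAccount) {
        $status = 'WrongAccount'     # registered, but not to the app pool user
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        SPN          = $spn
        Status       = $status
        RegisteredTo = ($holders.sAMAccountName -join ', ')
    }
}

$results | Format-Table -AutoSize
```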

Changes on the Domain Controller

The steps below have to be performed on the Domain Controller for that domain.

Go to Computers

Select the Reverse Proxy server

Right-click and select Properties

Go to the Delegation tab

Click on the option ‘Trust this computer for delegation to any service (Kerberos only)’

Click OK

From a remote machine on the same domain, test if you can successfully browse to the Infiniti site using the Reverse proxy’s FQDN / NetBIOS Name.
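
The option selected above sets the TrustedForDelegation flag on the proxy's computer account, which is unconstrained Kerberos delegation: the proxy may forward an authenticated user's identity to any service, not only to the Infiniti application servers. This added example (not from the original guide) confirms the flag on the proxy and inventories every other computer account that carries it, so the setting stays tracked; PROXYSERVER is a placeholder name and the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not from the Infiniti guide. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$proxyName = 'PROXYSERVER'   # placeholder (assumption): NetBIOS name of the reverse proxy

$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
$proxy = Get-ADComputer -Identity $proxyName -Properties $props

[pscustomobject]@{
    Computer                = $proxy.Name
    # True once "Trust this computer for delegation to any service (Kerberos only)" is set
    UnconstrainedDelegation = $proxy.TrustedForDelegation
    # Populated only when delegation is limited to specific services instead
    ConstrainedTo           = ($proxy.'msDS-AllowedToDelegateTo' -join ', ')
    ProtocolTransition      = $proxy.TrustedToAuthForDelegation
} | Format-List

# Inventory of computer accounts trusted for unconstrained delegation.
# Domain controllers (primaryGroupID 516) carry the flag by default and are excluded.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties PrimaryGroupID, WhenChanged |
    Where-Object { $_.PrimaryGroupID -ne 516 } |
    Sort-Object Name |
    Select-Object Name, DNSHostName, WhenChanged
```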

DNS alias for the site

If you want to have an alias for the site, please set up the Host header on the reverse proxy server and make sure you have an entry in your DNS pointing to the Reverse Proxy.